# Semgrep rule: flags a YAML configuration in which
# management.endpoints.web.exposure.include contains the wildcard "*",
# i.e. every Spring Boot Actuator endpoint is exposed over the web.
rules:
  - id: actuator-endpoint-exposed
    # Either form of the `include` value triggers a finding.
    pattern-either:
      # Form 1: scalar value, `include: "*"`. The `...` lines let other keys
      # appear between the nesting levels.
      # NOTE(review): only the double-quoted, nested-mapping spelling is written
      # here; a single-quoted '*' or a flattened dotted key
      # (management.endpoints.web.exposure.include) is presumably not matched
      # in generic mode. Confirm against test fixtures.
      - pattern: |
          management:
            ...
            endpoints:
              ...
              web:
                ...
                exposure:
                  ...
                  include: "*"
      # Form 2: list value in which one of the items is "*".
      # NOTE(review): other list items are only allowed before the "*" item
      # as written; confirm whether a list with "*" first followed by more
      # items still matches.
      - pattern: |
          management:
            ...
            endpoints:
              ...
              web:
                ...
                exposure:
                  ...
                  include:
                    ... 
                    - "*"
    # Message (Russian), in English: "Risk of access, without passing
    # authentication, to application endpoints that contain technical and
    # confidential information."
    # NOTE(review): the rule sees only the exposure setting. Whether the
    # endpoints are reachable without authentication depends on security
    # configuration that is not visible to this pattern, so each finding needs
    # triage. The usual fix is to list only the endpoints that are required.
    message: Опасность доступа к endpoints приложения содержащими техническую и конфиденциальную информацию без прохождения процедуры проверки подлинности.
    metadata:
      # Classification used for reporting and filtering of findings.
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
    severity: ERROR
    # `generic` selects Semgrep's language-agnostic text matcher, not the
    # YAML-aware parser, so matching follows the textual layout of the file.
    languages:
      - generic